Limitations in PAN-OS 10.1
What are the limitations related to PAN-OS 10.1 releases?
The following are limitations associated with PAN-OS 10.1.
| Issue ID | Description |
|---|---|
| PAN-190727 | (PA-5450 only) Log interfaces must be configured so that they are not in the same subnetwork as the management interface. Configuring both interfaces in the same subnetwork can cause connectivity issues and result in the wrong interface being used for log forwarding. |
| PAN-186061 | On the Panorama management server, pushing a configuration change to managed firewalls fails if a HIP Profile (Objects > GlobalProtect > HIP Profiles) is associated with a Security or Authentication policy rule (Policies > Security, Policies > Authentication). Workaround: Remove any HIP Profiles associated with a Security or Authentication policy rule from the Panorama CLI. Alternatively, upgrade to PAN-OS 10.1.5 or a later release to avoid needing to remove the HIP Profile association from your Security and Authentication policy rules. |
| | Workaround: Load the running configuration. |
| PAN-182912 | Due to a change in the default root partition threshold, PAN-OS may print a critical log on a PA-7050 stating that disk usage has exceeded the limit. Workaround: Replace the first-generation PA-7050 SMC (Switch Management Card) with the second-generation SMC-B. |
| PAN-175545 | (PAN-OS 10.1.2 and later versions) The PA-410 does not write session logs locally. As a result, the PAN-OS web interface does not display any logs in the Monitor tab. |
| PAN-174817 | When an external dynamic list (EDL) is added to an Anti-Spyware Profile and configured as an allow list, the EDL policy action of allow does not take precedence over the domain policy action specified under DNS Security. As a result, when a domain matches both an entry in the EDL and a DNS Security domain category, the action specified under DNS Security is still applied, even when the EDL is explicitly configured with an action of Allow. Workaround: Configure the EDL with an Alert action. This generates threat logs on the firewall but applies the EDL action instead of the DNS Security action. Alternatively, add DNS domain exceptions to the DNS Domain/FQDN Allow List on the DNS Exceptions tab of your Anti-Spyware Profile. |
| PAN-174784 | Up to 100,000 daily summary logs can be processed for Scheduled and Run Now custom reports (Monitor > Manage Custom Reports). |
| PAN-174442 | When a Certificate Profile (Device > Certificate Management > Certificate Profile) is configured to Block session if certificate status cannot be retrieved within timeout, the firewall allows client certificate validation to succeed even if the CRL Distribution Point or OCSP Responder is unreachable. Workaround: You must also enable Block session if certificate status is unknown for Block session if certificate status cannot be retrieved within timeout to be effective. |
| PAN-174038 | In an SD-WAN configuration, when a GlobalProtect Gateway is terminated on a loopback interface and the tunnel protocol is UDP-encapsulated ESP (IPSec), the return traffic from the Gateway toward the client is load-balanced across all of the SD-WAN member interfaces and cannot be subjected to an SD-WAN policy. |
| PAN-172401 | The PA-400 Series data port drops traffic when the local link speed is forced to 10 Mbps/100 Mbps while the remote peer link speed is set to autonegotiate. |
| PAN-172383 | When the App-ID Cloud Engine (ACE) is enabled on Panorama and you downgrade from PAN-OS 10.1 to PAN-OS 10.0, the software installation takes longer than expected to complete. The amount of time depends on the size of the ACE configuration (how many ACE App-IDs are used in Security policy, either directly or through an Application Filter or an Application Group). The extra time is required to check for cloud application references, including processing time to check references for applications, application containers, application types, and application tags across the entire configuration. It also takes extra time to check for redundancy between predefined (content-provided) and cloud applications and, after all checks are complete, to produce a list of ACE applications that you must remove from Security policy before the downgrade can succeed. |
| PAN-172302 | (PAN-OS 10.1.0 and 10.1.1) The PA-400 Series management port link goes down when a remote peer link speed is set to Auto OFF or forced to 100 Mbps. |
| PAN-171283 | When you run the App-ID Cloud Engine (ACE) service on firewalls in an HA cluster, after a cluster failover the sessions based on ACE App-IDs move to the failover firewall. However, as with other applications, some session information is not retained on failover. For ACE App-IDs, the operational command `admin@pan-os-fw> show session id <session>` shows the application as 0 instead of showing the name of the application. This does not affect Security policy enforcement after the failover. |
| PAN-171057 | (Policies > Security > Policy Optimizer > New App Viewer) For example, a Security policy allow rule includes an app container for the "exampleapp" application. The firewall sees the functional application "exampleapp-post" for the first time. Because the allow rule includes the new app's container, the firewall should not treat it as a new application. However, the New App Viewer shows the rule as having seen a new application even though the app container in the rule includes it. |
| PAN-168234 | The Cisco TrustSec, Zero Touch Provisioning (ZTP), and Enterprise Data Loss Prevention (DLP) plugins are not supported on a Panorama™ management server in FIPS-CC mode and cause a commit failure if installed on Panorama in FIPS-CC mode. |
| PAN-167996 | When the firewall downloads App-IDs from the App-ID Cloud Engine, if the App-ID of a cloud-delivered application is the same as the App-ID of a custom application that already exists on the firewall, the commit fails. (Two applications cannot have the same App-ID.) Workaround: Rename the custom application to remove the conflict with the cloud-delivered App-ID, or, if the custom application and the cloud-delivered application are the same application, delete the custom application and use the cloud-delivered application. |
| PAN-167335 | Only packets within the first client-to-server HTTP/1.0 and HTTP/1.1 transaction header sections are matched against cloud-based App-ID signatures. This means that after the first transaction, functional apps are identified as base applications. |
| PAN-165116 | When you Commit changes on the firewall, if you configure a Security policy rule with an application that has application dependencies (the application depends on other applications to work) and you did not add the application dependencies to the rule, a warning appears that shows the application dependencies to add to the rule. For example, if you configure a rule with the "google-surveys-base" application but do not add the application dependency "google-base" to the rule, the commit warning appears. For App-ID Cloud Engine (ACE) applications, the application dependency warning appears only if you add the ACE application to the rule directly or using an Application Group. If you add ACE applications to the rule using an Application Filter, commit actions do not warn you if application dependencies are missing. |
| PAN-159293 | A Certificate Revocation List (CRL) in Distinguished Encoding Rules (DER) format may erroneously return errors for VM-Series firewalls even though the firewall is able to pull the CRL and verify that the syslog server certificate is still valid. |
| PAN-152433 | When you have an active/passive HA pair of PA-3200 Series firewalls running PAN-OS 10.0.0 with NAT configured, if you upgrade one firewall to PAN-OS 10.0.1, the firewall goes to a non-functional state due to a NAT oversubscription mismatch between the HA peers. The same non-functional state results if both HA peers are running PAN-OS 10.0.1 and you downgrade one to PAN-OS 10.0.0. The upgraded or downgraded firewall goes to a non-functional state because PAN-OS 10.0.0 and 10.0.1 have different default NAT oversubscription rates. Workaround: After an upgrade or downgrade, modify the NAT oversubscription rate on one firewall so that the rates on the HA pair match. |
| PAN-146573 | PA-7000 Series firewalls configured with a large number of interfaces experience degraded performance and possible timeouts when performing SNMP queries. |
| PAN-121678 | (PA-7000b Series only) The following error messages during secure boot have no impact and can be ignored: `[ 0.672461] Device 'efifb.0' does not have a release() function, it is broken and must be fixed.` `[ 2.026107] EFI: Problem loading in-kernel X.509 certificate (-65)` `Maintenance Mode filesystem size: 2.0G` |
| PAN-106675 | After upgrading the Panorama management server to PAN-OS 8.1 or a later release, predefined reports do not display a list of top attackers. Workaround: Create new threat summary reports (Monitor > PDF Reports > Manage PDF Summary). |
| PAN-99845 | After an HA firewall fails over to its HA peer, sessions established before the failover might not undergo the following actions in a reliable manner: |
| PAN-41558 | When you use a firewall loopback interface as a GlobalProtect gateway interface, traffic is not routed correctly for third-party IPSec clients, such as strongSwan. Workaround: Use a physical firewall interface instead of a loopback interface as the GlobalProtect gateway interface for third-party IPSec clients. Alternatively, configure the loopback interface that is used as the GlobalProtect gateway to be in the same zone as the physical ingress interface for third-party IPSec traffic. |
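As an added example for PAN-174442 above (not Palo Alto Networks code): a small audit of a PAN-OS-style configuration export that flags Certificate Profiles where the timeout block is enabled without the unknown-status block, which is the combination the limitation makes ineffective. The XML element names `block-timeout-cert` and `block-unknown-cert` and the sample export are assumptions constructed here; adjust them to the export you actually have.

```python
"""Flag Certificate Profiles affected by PAN-174442.

Added example, not Palo Alto Networks code. The element names
block-timeout-cert ("Block session if certificate status cannot be
retrieved within timeout") and block-unknown-cert ("Block session if
certificate status is unknown") are assumptions about how an exported
PAN-OS configuration represents the two checkboxes; adjust to your export.
"""
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a config export (not from a real device).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <certificate-profile>
      <entry name="vpn-clients-weak">
        <block-timeout-cert>yes</block-timeout-cert>
        <block-unknown-cert>no</block-unknown-cert>
      </entry>
      <entry name="vpn-clients-fixed">
        <block-timeout-cert>yes</block-timeout-cert>
        <block-unknown-cert>yes</block-unknown-cert>
      </entry>
      <entry name="no-revocation-blocking">
        <block-unknown-cert>no</block-unknown-cert>
      </entry>
    </certificate-profile>
  </entry></vsys></entry></devices>
</config>"""


def _is_yes(entry: ET.Element, tag: str) -> bool:
    """True when the flag element exists directly under the profile and is 'yes'."""
    node = entry.find(tag)
    return node is not None and (node.text or "").strip().lower() == "yes"


def ineffective_timeout_blocks(config_xml: str) -> list[str]:
    """Names of Certificate Profiles with the timeout block enabled but the
    unknown-status block disabled: per PAN-174442 such a profile still lets
    a client certificate through when the CRL/OCSP source is unreachable."""
    root = ET.fromstring(config_xml)
    return [
        entry.get("name", "?")
        for profiles in root.iter("certificate-profile")
        for entry in profiles.findall("entry")
        if _is_yes(entry, "block-timeout-cert") and not _is_yes(entry, "block-unknown-cert")
    ]


if __name__ == "__main__":
    for name in ineffective_timeout_blocks(SAMPLE_CONFIG):
        print(f"{name}: also enable 'Block session if certificate status is unknown'")
```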